
Cloud Vulnerability DB
A community-led vulnerabilities database
A security-sensitive bug was discovered in the Masterminds/goutils Go package affecting versions < 1.1.1. The vulnerability impacts the RandomAlphaNumeric(int) and CryptoRandomAlphaNumeric(int) functions, which were found to produce less random output than intended. The issue was discovered by Erik Sundell of Sundell Open Source Consulting AB and was patched in version 1.1.1 (GitHub Advisory).
The vulnerability stems from a mistaken regular expression that only accepted random strings if they contained a digit from [0-9]. Because every candidate without a digit was discarded, the output was less random than intended. For example, RandomAlphaNumeric(1) would always return a digit in the 0-9 range, while RandomAlphaNumeric(4) would only return approximately 7 million of the possible 13 million permutations. The issue has been assigned a low severity rating (GitHub Advisory).
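To make the entropy loss concrete, the following is an added example written for this entry, not goutils' own code: a hypothetical uniform crypto/rand generator (uniformAlphaNumeric), a model of the pre-1.1.1 digit-only acceptance check (flawedAlphaNumeric), and a keyspace function that counts how many length-n outputs survive the check and how many bits of guessing work that removes.

```go
package main

import (
	"crypto/rand"
	"math"
	"math/big"
	"regexp"
)

const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// The acceptance check the advisory describes: only candidates containing a [0-9] character were returned.
var hasDigit = regexp.MustCompile(`[0-9]`)

// uniformAlphaNumeric draws n symbols independently and uniformly from the 62-symbol
// alphabet with crypto/rand (a reference generator written for this example, not goutils' code).
func uniformAlphaNumeric(n int) (string, error) {
	out := make([]byte, n)
	limit := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

// flawedAlphaNumeric models the pre-1.1.1 behaviour: regenerate until the digit
// check passes, which silently discards every all-letter candidate.
func flawedAlphaNumeric(n int) (string, error) {
	for {
		s, err := uniformAlphaNumeric(n)
		if err != nil || hasDigit.MatchString(s) {
			return s, err
		}
	}
}

// keyspace counts distinct outputs of length n (n <= 10 to fit uint64): 62^n for the
// uniform generator, 62^n minus the 52^n all-letter strings for the flawed one, and the loss in bits.
func keyspace(n int) (uniform, flawed uint64, lossBits float64) {
	uniform, letters := uint64(1), uint64(1)
	for i := 0; i < n; i++ {
		uniform, letters = uniform*62, letters*52
	}
	flawed = uniform - letters
	return uniform, flawed, math.Log2(float64(uniform)) - math.Log2(float64(flawed))
}
```

For n=1 the flawed model can only ever return one of 10 digits, and for n=4 it covers 7,464,720 of the 14,776,336 uniform outputs, roughly one bit of entropy lost.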
Programs that rely upon these random generators for password generation are at an increased risk of brute-force-style password guessing attacks. Additionally, there is a higher probability of collisions among generated values because of the reduced output space. This particularly affects applications using these functions for security-sensitive random string generation (GitHub Advisory).
The issue has been fixed in version 1.1.1 of the package. For users unable to upgrade, a workaround is available by using RandomAlphaNumericCustom(N, true, true) or CryptoRandomAlphaNumericCustom(N, true, true) instead, where N is the desired length and true represents the literal boolean true (GitHub Advisory).
Source: This report was generated using AI